Troubleshoot the Splunk Supporting Add-on for Active Directory

When an app that uses the Splunk Supporting Add-on for Active Directory cannot complete a search, it notifies you by displaying an error message in the Splunk status bar (at the top of your browser window), as follows:

Other Issues

If you encounter a problem where queries with SA-LDAPsearch fail despite successfully testing a connection that you set up on the configuration page, make sure that the user that you log into Splunk Enterprise as has the admin_all_objects capability. This capability must be present because the configuration page saves passwords as storage passwords, and only this capability allows users to read storage passwords.

If you cannot grant the admin_all_objects capability, as a workaround, you can use a clear-text password and obfuscate that password with base-64 encoding. In this case, however, you can not use the configuration page to save the password nor can you test the connection. This is because the configuration page moves any clear-text passwords to storage passwords when you save the configuration.

You must edit ldap.conf with a text editor and save the password(s) that way, and then use the ldaptestconnection command to test the configuration.

The ldapfetch, ldapfilter, and ldapgroup commands expand the domain option based on input record values. This means that you cannot always use the domain option value to query for schema before processing records. The commands rely on the default domain when querying for schema instead. One reason for this is that they must know what column names to add to the output record stream for every domain they might query.

To fix this problem, configure the default domain so that it connects to the global catalog server for your Active Directory Domain Services (AD DS) forest. A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest. Global catalog servers respond to global catalog queries. They have a copy of the schema that applies to every domain in your forest.

Some attributes are not available, and associated searches do not return results

Some attributes are constructed. This means that they get their values as a result of computation from other attributes.

Constructed attributes cannot be used in LDAP filters. Exceptions to this rule are the attributes createTimeStamp,modifyTimeStamp>, objectClass, and structuralObjectClass. Constructed attributes cannot be returned as value data in an LDAP search request unless you specify scope=base which means that the LDAP client accesses only a single object. It is not possible, for example, to search for all objects in a container and specify a constructed attribute as one of the requested attributes in that search.

Slow performance on queries to Active Directory with large number of users

To improve performance on queries against ADs with large numbers of users, select only the query attributes you need to complete your analysis. For example, if you need just two attributes, distinguishedName and sAMAccountName, say so. Use this command:

The former, more specific command reduces the total volume of data that it retrieves from Active Directory and passes through the search pipeline dramatically. This strategy significantly improves performance and reliability.

Unable to query Active Directory anonymously

By default, Active Directory disables anonymous binding. Until you enable it, errors like this occur:

dc-1.msapps.local: Could not access the directory service at ldaps://dc-
1.msapps.local:3269: 000004DC: LdapErr: DSID-0C09072B, comment: In order to
perform this operation a successful bind must be completed on the connection.,
data 0, v2580"

To enable anonymous binding you must change the seventh bit of the dsHeuristics attribute on the CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in forest directory object.

Valid values for the dsHeuristics attribute are 0 and 2. By default, the dsHeuristics attribute is not set, which is the same as if it were set to 0. If you set the seventh character to 2, anonymous clients can then perform any operation that the access control list (ACL) permits. If the attribute has been set, do not modify any bits in the dsHeuristics string other than the seventh. If the value has not been set, make sure that you provide the leading zeros up to the seventh bit. You can use the Active Directory Service Interface (ADSI) Editor Microsoft Management Console snap-in (adsiedit.msc) to make the change to the dsHeuristics attribute.

After you set the attribute, if you want anonymous users to be able to query Active Directory, you can enable anonymous access to specific directory objects. Users gain anonymous access to Active Directory objects through Anonymous Logon, which is a special security identifier (SID) that AD uses to represent anonymous network callers that perform an LDAP bind with NULL credentials.

SA-LDAPsearch does not return custom AD attributes

Active Directory does not replicate new attributes to the Global Catalog by default. If you run a query against a Global Catalog server and specify an attribute that has not been replicated to the GC, that attribute will not appear in a result of a query initiated by SA-LDAPsearch. To fix the problem, use the Active Directory Schema MMC snap-in to edit the attribute and enable replication to the Global Catalog. Next, restart the computer or Active Directory and attempt the query in SA-LDAPsearch again.

SA-LDAPsearch generates "The default configuration stanza for ldap.conf is missing" errors in a distributed Splunk Enterprise or Splunk Cloud environment

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »